“If you push something hard enough, it will fall over.”

This concept may have comedic origins (it’s Fudd’s First Law of Opposition, from The Firesign Theater), but it’s all too accurate in the world of IT security as well.

Yes, if you overload a system, it will fall over — that’s what Denial-of-Service attacks (“DoS”) are all about. And while one given source might not be able to hit hard or often enough to do serious damage to your system, a million attackers can, all too easily. That’s a Distributed Denial-of-Service (“DDoS”) attack.

Granted, not all DoS and DDoS events begin with malicious intent; legitimate users can easily overwhelm services — both digital and non — that haven’t been provisioned or architected for massive surges in use. Consider downloads of major new songs, videos, operating system releases, or movie trailers; “Black Friday” opening hour at malls; traffic on major holiday weekends; slowdowns and crashes at popular sites like Twitter, Google, and Amazon — and at sites linked to or recommended by Slashdot, Reddit, Digg, or other popular sites. Even the phone system can inadvertently experience denials of service at peak calling times like Mother’s Day (this problem still persists in some places).

But Distributed Denial-of-Service attacks are increasingly being used maliciously. Over the past year or so, DDoS attacks have hit PayPal, Bitcoin, HSBC, Sony, and gaming sites like Microsoft’s Xbox Live and Blizzard’s Battle.net, along with many other businesses and government organizations.

And the number, type and range of DDoS attacks continue to grow, making DDoS detection, prevention and mitigation yet one more item on IT’s already long security to-do list.

The Challenges of DDoS

Because DDoS attacks can come from hundreds, thousands, or even millions of different IP addresses, it is often hard to identify the attacking machines and to filter attacks. The tools to create and conduct DDoS attacks are startlingly available and inexpensive — as low as a few dollars — while the cost to the attacked organization can range from $50,000 to $500,000 for each hour of the attack in lost sales or business disruption.

And attacks can last hours, even a full day.

DDoS attacks are often measured by how much network bandwidth they consume, or by the number of simultaneous connections being requested. Is it enough to saturate the network connection to the server or service? Or to overwhelm the application? While most attacks have been single-digit Gbps (billions of bits per second), at least one DDoS attack on a data center was pegged at over 330 Gbps, and tens of thousands of connections were affected. On the other hand, many new attacks use less bandwidth, while lasting longer and doing more damage.

There are many types of DoS and DDoS attacks, including DNS attacks, Layer 3-4 and Layer 7 attacks, ICMP flooding, peer-to-peer attacks, and SYN flooding. There is even one type called “Permanent DoS” (PDoS), or “phlashing,” which refers to attacks that require that hardware be reinstalled or replaced (for example, by causing hardware to overheat).

Dealing with DDoS Attacks

IT departments geared up to handle malware, intrusions, and other threats aren’t necessarily prepared for DDoS attacks. But that doesn’t mean there is nothing to be done.

Start by understanding that you can’t prevent DDoS attacks. Your goal is to harden your IT infrastructure to resist DDoS attacks, prevent or minimize the damage they can do, and to be ready to deal with damage that may eventually occur.

DDoS solutions include:

  • Security appliances and software that reside in your network. This includes some components you likely already have, like firewalls and network switches, which may have settings that can help block DDoS attacks. There are also increasing numbers of DDoS tools out there to consider.
  • Cloud-based services, which you divert all traffic through. With enough bandwidth to “scrub” traffic and absorb volume-based attacks, cloud-based services can pass the legitimate traffic along to your site (or to your services elsewhere in the cloud). Cloud-based services offer the simplicity of not requiring you to add hardware or software or do other integration work.
  • Hybrid DDoS protection. Many organizations are adding both premises-based hardware and cloud-based services to their security repertoire.

It’s also important that your IT and customer support staff be ready to react during DDoS attacks. This includes alerting related departments (for example, cautioning accounting not to approve unexpected large financial requests) and providing channels through which users and customers can register complaints.

When choosing solution partners:

  • Look for tools and services that allow for easy ways to add ad hoc patterns and policies
  • Pay attention to service scalability/elasticity
  • Engage a trusted partner to synthesize security efforts across your IT system

What’s important to remember is that whatever you set up has to be automatic in its responses. Manual response will take too long, and by the time you’ve completed it, your mission-critical IT has probably succumbed to Fudd’s Law and fallen over.
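The two ways of measuring an attack described earlier (bandwidth consumed versus connections requested) and the automatic-response requirement above can be tied together in a small rate monitor. The following is an added illustration, not code from the original article or from any vendor product: it summarises constructed per-second flow records under both measures, shows that a low-bandwidth SYN flood never trips the Gbps rule but does trip the connection rule, and picks a mitigation depending on how many sources are involved. The thresholds, the record format and the `block-sources` / `divert-to-scrubbing` actions are all assumptions.

```python
from collections import defaultdict

# Constructed flow records, one per connection attempt (not real traffic):
# (second, source_ip, bytes_seen, handshake_completed).
SAMPLE_FLOWS = (
    # second 0: ordinary traffic, two clients, handshakes complete
    [(0, "198.51.100.10", 1_500, True), (0, "198.51.100.11", 2_000, True)]
    # second 1: a volumetric burst, three sources pushing about 1.2 Gbit in total
    + [(1, f"203.0.113.{i}", 50_000_000, True) for i in range(1, 4)]
    # seconds 2-4: a low-bandwidth flood, 500 distinct sources per second,
    # each a tiny SYN that never completes; total stays far below 1 Gbps
    + [(s, f"10.{i // 256}.{i % 256}.7", 60, False)
       for s in range(2, 5) for i in range(500)]
)

# Illustrative thresholds (assumptions); tune them against your own baseline.
BANDWIDTH_GBPS = 1.0      # volumetric measure: link saturation
HALF_OPEN_PER_SEC = 200   # connection measure: backlog exhaustion
MANY_SOURCES = 50         # beyond this, per-IP blocking stops scaling


def analyze(flows):
    """Summarise each second and flag it under the bandwidth and connection rules."""
    per_sec = defaultdict(lambda: {"bytes": 0, "half_open": 0, "sources": set()})
    for second, src, nbytes, completed in flows:
        entry = per_sec[second]
        entry["bytes"] += nbytes
        entry["sources"].add(src)
        if not completed:
            entry["half_open"] += 1
    report = {}
    for second, entry in sorted(per_sec.items()):
        gbps = entry["bytes"] * 8 / 1e9
        flags = []
        if gbps >= BANDWIDTH_GBPS:
            flags.append("bandwidth")
        if entry["half_open"] >= HALF_OPEN_PER_SEC:
            flags.append("connections")
        report[second] = {"gbps": round(gbps, 3), "half_open": entry["half_open"],
                          "sources": len(entry["sources"]), "flags": flags}
    return report


def response(summary):
    """Choose the automatic mitigation for one flagged second."""
    if not summary["flags"]:
        return "none"
    if summary["sources"] < MANY_SOURCES:
        return "block-sources"        # few sources: local firewall rules suffice
    return "divert-to-scrubbing"     # many sources: hand traffic to the cloud scrubber


if __name__ == "__main__":
    for sec, summary in analyze(SAMPLE_FLOWS).items():
        print(sec, summary, response(summary))
```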

Ready to get serious about IT security? Let’s talk.